Abstract.

Distance bounding protocols are used by nodes in wireless networks for the crucial purpose of estimating their distances to other nodes. This typically involves one node sending a request to another node, receiving a response, and then calculating an upper bound on the distance by multiplying the round-trip time by the velocity of the signal. However, dishonest nodes in the network can make these calculations both illegitimate and inaccurate when they participate in protocol executions. Therefore, it is important to analyze protocols for the possibility of such violations. Past efforts to analyze distance bounding protocols have all been manual. Automated approaches are important, however, since they are quite likely to find flaws that manual approaches miss, as witnessed many times in the literature on key establishment protocols.

In this paper, we use the constraint solver tool to automatically analyze distance bounding protocols. We first formulate a new trace property called Secure Distance Bounding (SDB) that protocol executions must satisfy. We then classify the scenarios in which these protocols can operate, considering the (dis)honesty of nodes and the location of the attacker in the network. Finally, we extend the constraint solver tool so that it can be used to test protocols for violations of SDB in those scenarios, and illustrate our technique on several examples that include new attacks on published protocols. We also host an on-line demo where the reader can try our implementation.



1 Introduction 

A distance bounding (DB) protocol is used by a "verifier" node in a wireless network to calculate an upper bound on the distance to a "prover" node. Distance bounding supports crucial applications such as localization, location discovery and time synchronization. Hence, the security of DB protocols is an important and critical problem.
Figure 1: (a) Extended Echo protocol P1 (b) Man-in-the-Middle Attack on P1
As an example of a DB protocol, consider a simple extension of the Echo protocol (Fig. 1a) presented in [11]. In the figure, V is the verifier, P is the prover; N_V is a nonce; Sig_pk(P)([N_V, V, P]) is the signature of P, to be verified with its public key, denoted pk(P). Let t_i be the time on the clock when event i occurs. Then V can calculate the bound d on the distance to P as

    d = ((t_4 - t_1) - (t_3 - t_2)) · s / 2,

where s is the speed of the signal: t_4 - t_1 is the round trip measured by V and t_3 - t_2 is the time P takes to answer.

In the presence of attackers, DB protocols can fail to achieve their main goal of establishing a valid distance bound. For instance, the above protocol has a possible attack wherein an attacker i plays Man-In-The-Middle and succeeds in making p appear closer to v† than it really is (Fig. 1b).

Analysis of DB protocols involves examining whether it is possible to make a party appear closer to an honest verifier than it really is. The problem is different from, and harder than, standard Dolev-Yao analysis of protocols, which only considers whether an attacker can generate the messages required to violate some security property. Here, we also need to factor in the time required for message generation, which can vary with the input size and the cryptographic parameters. Automated analysis is much desired, given the problems with, and distrust of, manual analysis of protocols that have been reported in the literature [5]. There have been numerous instances in which automated techniques found attacks on protocols that manual, hand-based techniques could not (e.g. Lowe's attack on NSPK [5]).

Past work. The few published efforts to analyze DB protocols have been largely incomplete: The classical work of Brands and Chaum [2] is mostly informal and specific to the protocols introduced in that paper. Sastry et al. [11] show that in their "Echo" protocol the prover cannot respond before receiving the verifier's nonce, but the protocol is used only for "in-range" verification and is also too simple, without any authentication. Meadows et al. [8] give a method to analyze both the distance bounding and the authentication aspects, but the method, like the previous two, is manual rather than automated.

Our contribution. To address these concerns, we show a method to automatically analyze DB protocols using the constraint solving technique of Millen and Shmatikov. Our method is based on formal modeling of timed protocols and distance bounding properties. Further, it is fully automated with minor changes to the existing constraint solver.§ Some highlights of our contribution are:

1. Like many past strand space extensions, our formal modeling and framework give a simple, clean and useful geometric flavor to the study of DB protocols that could be used or extended in many other studies, such as localization algorithms;

2. Some properties we prove about DB protocols allow the use of conventional Dolev-Yao style analysis, completely eliminating the need to consider the more complicated timing aspects. This is useful when it is difficult to extend existing methods for conventional key establishment protocols to analyze or verify DB protocols (e.g. ProVerif).



†We use lower case for v and p now since we are referring to the protocol execution.

§On-line demo at http://homepages.dsu.edu/malladis/research/ConSolv/Webpage/
Organization. We will first develop a timed protocol model extending strand spaces in Section 2. We will then explain how constraint solving can be used to generate timed protocol executions in Section 3. We will formalize secure distance bounding and explain our technique to detect violations of it in Section 4. We will identify the scenarios under which DB protocols need to be analyzed in Section 5. We will illustrate our analysis approach on some examples in Section 6 and conclude with a discussion of future and related work.

2 Protocol model - Timed strand spaces 

Our protocol model is based on the strand space model of [14], extended with a new field, "time", in the labels on nodes. This field represents the current time on the clock of the agent at that node.

Definition 1. [Node] A node is a 3-tuple with fields time, sign, and term. Time is the current time on the clock, sign is + or − denoting "send" and "receive" respectively, and term is defined next.

We will describe how to populate the times on nodes partly in this section and partly 
in the next section. We consider protocols in which messages are constructed using a free 
term algebra: 

Definition 2. [Term] A term is one of the following: Variable (of type Agent, Nonce etc.); Constant (numbers 1, 2, ...; the name of the attacker e etc.); Atom; Pair, denoted [t_1, t_2] if t_1 and t_2 are terms; Public-Key, denoted pk(A) with A of type Agent; Shared-Key, denoted sh(A, B) with A and B of type Agent; Asymmetric encryption, denoted [t]_k^→ where t and k are terms; Symmetric encryption, denoted [t]_k^↔ where t and k are terms; Hash, denoted h(t) where t is a term; Signature of a term t, denoted Sig_pk(A)(t), to be validated using pk(A).

A "ground" term is any term with no variables in it. We will drop the superscript → or ↔ if the mode of encryption is contextually either obvious or irrelevant.

Definition 3. [Subterm] Term t is a subterm of t' (i.e. t ⊑ t') if t = t', or if t' = [t_1, t_2] with t ⊑ t_1 ∨ t ⊑ t_2, or if t' = [t'']_k with t ⊑ t'', or if t' = h(t'') with t ⊑ t'', or if t' = Sig_pk(A)(t'') with t ⊑ t''. Term t is a proper subterm of t' if (t ⊑ t') ∧ (t ≠ t').

Strands capture roles of a protocol. 

Definition 4. [Strand] A strand is a sequence of nodes. For instance s = ⟨n_1, ..., n_m⟩ is a strand with m nodes. Nodes in a strand are related by the edge ⇒, defined such that if n_i and n_{i+1} belong to the same strand, then n_i ⇒ n_{i+1}. A parametric strand is a strand with no atoms in the terms on its nodes.

Protocol roles are modeled as partially instantiated parametric strands that we name semi-strands, whose messages contain variables and atoms depending on the knowledge of the agents concerning message subparts. For instance, the verifier strand of the protocol presented in the Introduction is represented as

    ⟨ +[0, n_v], −[T_4, n_v], −[T_6, Sig_pk(P)([n_v, v, P])] ⟩

Notice that the first node starts at time '0', which is not a universal '0' but a local start time for the agent who dons this strand. Also notice that the times T_4 and T_6 on the other two nodes are not fixed. The rationale for this is explained shortly.

A set of semi-strands is called a semi-bundle. We say that term t belongs to a semi-bundle S (i.e. t ∈ S) if t = term(n) for some n ∈ s and s ∈ S.

A bundle is a possible protocol execution obtained by consistently instantiating all the variables in the semi-bundle and using → edges between nodes on different strands.

Definition 5. [Bundle] A bundle is a collection of strands and an acyclic digraph defined on a mapping of nodes to edges → and ⇒ such that if node n_i sends a message that n_j receives, then n_i, n_j are related by the edge → (denoted n_i → n_j). Further, if there is a node n in the bundle that receives a term t, then there is another node m in the bundle that sends t, such that m → n.

Note that this bundle is a 3-dimensional graph, with strands located vertically anywhere in the cube. Nodes in a bundle are also related by the precedence relation, denoted ≺, which is a partial order:

Definition 6. [Precedes] The relation ≺ is defined such that if nodes n_i, n_j exist in a bundle C, then n_i ≺ n_j if they are on the same strand with i < j; further, n_i ≺ n_j if n_i → n_j.

We will use ≺ on stand-alone strands in semi-bundles as well: Let s be a strand in a semi-bundle S. Then, (∀ n_i, n_j ∈ s)(s ∈ S)(i < j ⇒ n_i ≺ n_j).

We do not include the notion of penetrator strands as in the classical strand space formalism of [14]. Rather, we consider a single penetrator, also modeled as a single strand, that captures all the "penetrator actions" in the bundle, defined as follows:

Definition 7. [Penetrator action] A penetrator action is a sequence of edges +t_1 → −t_2 ⇒ +t_3 → −t_4 where −t_2 ⇒ +t_3 is an edge on the penetrator strand.

The idea is that the single ⇒ edge in a penetrator action stands for all the penetrator strands of the classical model of [14] used to generate the term to be sent. Multiple penetrators could be added in the 3-dimensional cube if desired, although we only consider a single "Machiavellian" attacker with full control of the network in the spirit of [13].¶

Next we define the "elapsed time" between any two nodes n_i, n_j in a bundle C with n_i ≺ n_j, using the notions of weights and paths:

Definition 8. [Weight or Elapsed time] The weight of an edge is the (absolute) difference between the times on the nodes connected by the edge. A path is a sequence of nodes such that every node in the sequence is related to the subsequent node by a → or a ⇒. The weight of a path is the sum of the weights of all the edges in the path.

We will denote the path between n_i and n_j as (n_i, n_j) when there is only one route between n_i and n_j.

The weight of a ±t ⇒ +t' edge should be preset and constant for each semi-strand. In the case of the penetrator strand, those weights should be calculated from the penetrator actions required to generate the + node. On the other hand, the weight of a ±t ⇒ −t' edge cannot be fixed, since an agent can only know the length of time after which it sends a message, but cannot always accurately predict when it will receive a message from another agent.

Weights of → edges indicate the traversal time of messages, which depends on the message length, the distance and the velocity of the signal. We assume that there is an appropriate formula for an environment to calculate the weight of these edges from those parameters.

¶This might be unrealistic in wireless networks, but the stronger model allows us to find all attacks, including those under weaker attackers.

Definition 9. [Relay, Simple relay] A relay is a penetrator action +t → −t ⇒ +t → −t. A simple relay is a relay with the weight of the ⇒ edge being zero.

We develop the notions of "ideal" and "real" bundles to distinguish protocol executions in which the penetrator plays the passive role of merely observing message exchanges between agents from those in which she plays an active role of faking and changing messages.

Definition 10. [Ideal and Real bundles] An ideal bundle B for a protocol P is a bundle formed from a semi-bundle S with exactly one semi-strand per parametric strand of P, where every penetrator action is a simple relay +σt → −σt ⇒ +σt → −σt for some substitution σ such that (∀s ∈ S)(∃s' ∈ B)(s' = σs). A real bundle is any bundle from any other semi-bundle of P.

3 Extending constraint solving to find elapsed time 

We will now extend the constraint solving technique of [9] to give a "recipe" for producing the timed bundles defined in Section 2, including the honest strands and the single penetrator strand with all the penetrator actions.

The previous section only noted that the weights of ± ⇒ + edges should be preset; this section completes the labeling of nodes, since the weights of ± → − edges are calculated dynamically, setting the times on '−' nodes during protocol executions. The elapsed time between any two nodes in such bundles can then be calculated by summing the weights of all the edges on the path between the nodes.

Constraint solving is a procedure to determine whether a semi-bundle can be completed to a bundle by a substitution to its variables. A constraint sequence is first drawn from a node interleaving of the semi-bundle, indicating that each '−' node should be derivable by the attacker from his actions and the terms on all prior '+' nodes.

Definition 11. [Constraint sequence] A constraint sequence C = ⟨term(n_1) : T_1, ..., term(n_k) : T_k⟩ is from a semi-bundle S with k '−' nodes if (∀ n, n')(((term(n') : T ∈ C) ∧ (term(n) ∈ T)) ⇒ (n ≺ n')). Further, if i < j and n_i, n_j belong to the same strand, then n_i ≺ n_j and (∀i)(T_i ⊆ T_{i+1}).
We consider a set of attacker operators O and the infinite set of terms that can be built using O on a finite set of terms T, denoted F(T). Although our techniques in this paper are largely independent of the kind of operators in O, we will consider that they represent the standard Dolev-Yao attacker as defined in [9].

The possibility of forming bundles from a given semi-bundle can be determined by 
testing if constraint sequences from it are satisfiable: 

Definition 12. [Satisfiability, Realizability] A constraint m : T is satisfiable under a substitution σ if σm ∈ F(σT). A constraint sequence C is satisfiable with σ, denoted σ ⊢ C, if (∀ m : T ∈ C)(σm ∈ F(σT)). A '−' node is realizable if the corresponding constraint is satisfiable. A semi-bundle is completable to a bundle if a constraint sequence from it is satisfiable.

Millen and Shmatikov have shown a constraint satisfaction procedure, denoted P, that is terminating, sound and complete wrt O and F. P applies a set of symbolic reduction rules R to each constraint in order to reduce it to "simple constraints" (with only a variable on the left side). We provide both P and R in Appendix A.

We will consider that each reduction rule in R corresponds to an attacker action, and we calculate the weights of the edges of a bundle as the sum of the times taken by the rules applied.

In Appendix A we also give an algorithm, denoted PB, that produces timed bundles as defined in Section 2, using P to calculate the weights of edges. An example bundle generated for Lowe's attack on the NSPK protocol [5] is also given in Appendix A.4. Further, we show in Appendix B, Theorem 16, that PB terminates and is sound and complete.



4 Analyzing DB protocols 

We will now formalize secure distance bounding using the concept of ideal and real bundles defined in Section 2.



4.1 Formalizing Secure Distance Bounding 

A DB protocol is used by a verifier v to establish an upper bound on the distance to a prover p. Ideally, if the following assumptions hold: (a) the positions of v and p are fixed, (b) the intervals between creating and sending messages are fixed, (c) v and p are honest and (d) there is no attacker, then there indeed exists an upper bound on the distance, obtained by calculating the elapsed time between two nodes Request and Response on v, with Request a send node, Response a receive node and Request ≺ Response, as explained in Section 2.

We will call the nodes between Request and Response in the verifier strand of a DB 
protocol as the "DB part" and the other nodes as the "authentication part". Further, we 
will use the term "Time of Flight" or its abbreviation as ToF to refer to the elapsed time 
between Request and Response. 

Now the upper bound calculated by v can be lower than the one obtained under ideal conditions if (a) the ToF between its Request and Response is lowered and (b) v is sent all the messages in the protocol that it expects to receive from p.

This is the main insight behind defining secure distance bounding as a trace property: We first calculate the ToF under ideal conditions and then check whether a "real" execution of the protocol in the presence of the penetrator can result in a calculated ToF that is lower than the ideal value. Note that we assume the weights of ±m ⇒ +m' edges are set for strands in semi-bundles by following the same measures for calculating the time taken for message construction outlined in Section 3.

Definition 13. [Secure Distance Bounding (SDB)] Let t and t' be the elapsed times between the Request and Response nodes in the verifier strand of an ideal bundle B and a real bundle B', respectively, both from a semi-bundle S. Then Secure Distance Bounding (SDB) is satisfied in B' whenever t ≤ t'. Conversely, SDB is violated in B' if t > t'.

This definition depends on what we consider an ideal bundle to be. In Section 2 we defined it to be one with no penetrator actions, but when the penetrator is farther from v than p is, we need to take the bundle between the penetrator and v as the ideal one. More on this is explained in Section 5.2.
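As a worked illustration of Definitions 8 and 13 on protocol P1 (an added example, not code from the paper or its on-line demo), the following Python script computes the elapsed time between Request and Response along a bundle path and compares the ideal bundle with a Scenario 1 real bundle (closer attacker answering the Request itself, Fig. 1b) and a Scenario 2 real bundle (farther attacker reusing the prover's responses). The positions, the processing delays and the weight formula distance / s for → edges are the example's own assumptions; the paper leaves that formula to the environment.

```python
"""Elapsed time along a bundle path (Definition 8) and the SDB check of
Definition 13 for the extended Echo protocol P1.

Added example, not code from the paper. Positions and processing delays are
constructed; the weight of a -> edge is taken to be distance / s, with
message-length effects folded into the verifier's constant delta_2 (assumption)."""
from dataclasses import dataclass

SPEED = 3.0e8  # s, the signal velocity in m/s (free-space radio, assumption)


@dataclass(frozen=True)
class Edge:
    kind: str      # "->": message in flight between strands; "=>": next node on one strand
    weight: float  # elapsed time on this edge, in seconds


def flight(distance_m):
    """Weight of a -> edge between two agents `distance_m` metres apart."""
    return Edge("->", distance_m / SPEED)


def processing(delay_s):
    """Weight of a +/-t => +t' edge: the fixed time an agent needs before it sends."""
    return Edge("=>", delay_s)


def elapsed(path):
    """Definition 8: the weight of a path is the sum of the weights of its edges."""
    return sum(e.weight for e in path)


def distance_bound(tof, delta2):
    """What the verifier computes from the measured time of flight: (ToF - delta_2) * s / 2."""
    return (tof - delta2) * SPEED / 2


def tof_ideal(d_vp, delta_p):
    """Ideal bundle (Def. 10): Request v -> p, p answers after delta_p, Response p -> v."""
    return elapsed([flight(d_vp), processing(delta_p), flight(d_vp)])


def tof_mitm(d_vi, delta_i):
    """Scenario 1 real bundle (Fig. 1b): attacker i, closer to v than p is, answers the
    Request itself; it only needs the nonce n_v it has just received."""
    return elapsed([flight(d_vi), processing(delta_i), flight(d_vi)])


def sdb_satisfied(t_ideal, t_real):
    """Definition 13: SDB holds in the real bundle iff its ToF is not below the ideal one."""
    return t_real >= t_ideal


def p1_example(d_vp=300.0, d_vi=100.0, delta=1e-7):
    """v at the origin, p at d_vp metres, i at d_vi metres between them; delta is both
    p's and i's processing delay. Returns (ideal bound, bound under MITM, SDB holds?)."""
    t_ideal = tof_ideal(d_vp, delta)
    t_real = tof_mitm(d_vi, delta)
    return (distance_bound(t_ideal, delta),
            distance_bound(t_real, delta),
            sdb_satisfied(t_ideal, t_real))


def p1_farther_attacker(d_vp=100.0, d_vi=300.0, delta=1e-7):
    """Scenario 2 (Section 5.2): i is farther than p, so the ideal bundle is the one
    between v and i, while the real bundle attributes p's genuine DB-part responses to i."""
    t_ideal = tof_ideal(d_vi, delta)
    t_real = tof_ideal(d_vp, delta)
    return sdb_satisfied(t_ideal, t_real)


if __name__ == "__main__":
    ideal, attacked, ok = p1_example()
    print(f"ideal bound {ideal:.1f} m, bound under MITM {attacked:.1f} m, SDB satisfied: {ok}")
```

With the constructed positions the ideal bound is 300 m while the attacked bound is 100 m, so the real bundle's ToF falls below the ideal one and SDB is violated; in the farther-attacker case the comparison is made against the v–i ideal bundle, as Section 5.2 requires.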



5 Protocol execution scenarios 

Before explaining our technique to test protocols for violations of SDB, we will consider the 
scenarios under which a DB protocol can operate. 

5.1 Scenarios based on honesty of the prover 

We first consider scenarios in which the prover is honest or dishonest. 



Scenario A (honest prover). With a verifier, an honest prover and an attacker, this scenario captures MITM/Mafia attacks [3]. The attack described in the Introduction is one such attack.



Scenario B (dishonest, colluding prover). With a verifier, a dishonest prover and an attacker, this scenario captures terrorist/collusion attacks [3]. Here, the prover colludes with an attacker who is presumably closer to the verifier, by passing on some or all of its information, including secret keys and messages (partial or full collusion). The protocol in Section 1 is vulnerable to such an attack (Fig. 2a).



5.2 Scenarios based on location of attacker 

Independent of the honesty of agents, we should also categorize protocol execution scenarios based on the location of the attacker in the network with respect to the verifier and the prover.

Figure 2: (a) Scenario B, colluding attacker (b) Scenario 2, farther attacker

Scenario 1 (closer attacker). Attacker i is physically closer to the verifier v than the prover p is. The first attack on P1 described previously is an example of this scenario.

In this situation, we can show that if (a) an attacker can generate all the messages expected by the verifier from the Request to the Response without those messages being sent by the prover, and (b) all other messages expected by the verifier can also be generated by the attacker (with or without those messages emanating from the prover), then SDB is violated:

Theorem 14. Suppose t_0, t_1, ..., t_m are terms on nodes of the verifier strand v, with the time of flight measured between t_0 and t_m. Then there exists a bundle with a violation of SDB if

• the constraints ⟨t_1 : T_1, ..., t_m : T_m⟩ are satisfiable, where for i = 1 to m every t ∈ T_i either belongs to T_0 or is a term on a + node of v, and every t_i is a term on a − node of v;

• all other − nodes of v are realizable.

Proof. Please see Appendix B, Theorem 17.
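The following Python code is an added example, not the paper's constraint solver: it implements the Dolev-Yao derivation check that Theorem 14 reduces Scenario 1 to, on ground terms only (no variables, hence no unification), and applies it to P1 from the Introduction and to the approximate Brands-Chaum protocol P2 of Section 6.1, with and without a secret commitment. The term encoding, the initial knowledge T_0 and the exact message layout assumed for P2 are the example's own assumptions.

```python
"""Ground-term Dolev-Yao derivability and the Scenario 1 check of Theorem 14.

Added example, not the paper's constraint solver. Only ground terms are handled,
which is enough to check whether a fixed, fully instantiated set of messages
expected by the verifier can be produced by the attacker."""

ATTACKER = "e"   # the single Machiavellian penetrator; it holds the private key of pk(e)


# Terms are nested tuples following Definition 2.
def nonce(n):   return ("nonce", n)
def agent(a):   return ("agent", a)
def pk(a):      return ("pk", a)
def sh(a, b):   return ("sh", frozenset((a, b)))   # shared key; agent order irrelevant
def pair(a, b): return ("pair", a, b)
def penc(m, k): return ("penc", m, k)              # [m]_k with k a public key
def senc(m, k): return ("senc", m, k)              # [m]_k with k a symmetric key
def hsh(m):     return ("hash", m)
def sig(m, a):  return ("sig", m, a)               # Sig_pk(a)(m), signed by agent a


def analyze(knowledge, attacker=ATTACKER):
    """Close a set of terms under the decomposition rules: split, sdec with a known key,
    pdec with the attacker's own private key, and reading the payload of a signature."""
    known = set(knowledge)
    changed = True
    while changed:
        changed = False
        for t in list(known):
            new = set()
            if t[0] == "pair":
                new.update((t[1], t[2]))
            elif t[0] == "senc" and t[2] in known:
                new.add(t[1])
            elif t[0] == "penc" and t[2] == pk(attacker):
                new.add(t[1])
            elif t[0] == "sig":
                new.add(t[1])
            if not new <= known:
                known |= new
                changed = True
    return known


def synthesizable(target, known, attacker=ATTACKER):
    """Can `target` be built from the analyzed set `known` with pair, enc, hash,
    or a signature under the attacker's own key?"""
    if target in known:
        return True
    kind = target[0]
    if kind in ("pair", "penc", "senc"):
        return (synthesizable(target[1], known, attacker)
                and synthesizable(target[2], known, attacker))
    if kind == "hash":
        return synthesizable(target[1], known, attacker)
    if kind == "sig":
        return target[2] == attacker and synthesizable(target[1], known, attacker)
    return False


def derivable(target, knowledge, attacker=ATTACKER):
    return synthesizable(target, analyze(knowledge, attacker), attacker)


def scenario1_violation(t0, verifier_sends, db_part, auth_part, prover_msgs, attacker=ATTACKER):
    """Theorem 14 on ground terms. `t0` is the attacker's knowledge at the Request node
    (initial knowledge plus anything relayed before it). DB-part messages must be derivable
    from t0 and the verifier's own sends alone, i.e. without anything the prover sends after
    the Request; the remaining messages may also use prover messages relayed later."""
    db_knowledge = set(t0) | set(verifier_sends)
    auth_knowledge = db_knowledge | set(prover_msgs)
    db_ok = all(derivable(t, db_knowledge, attacker) for t in db_part)
    auth_ok = all(derivable(t, auth_knowledge, attacker) for t in auth_part)
    return db_ok and auth_ok


V, P = "v", "p"
NV, NP = nonce("nv"), nonce("np")
T0 = {agent(V), agent(P), agent(ATTACKER), pk(V), pk(P), pk(ATTACKER)}   # assumed initial knowledge


def p1_scenario1():
    """P1 (Fig. 1): v sends n_v (Request), expects n_v back (Response), then Sig_pk(p)([n_v, v, p])."""
    signature = sig(pair(NV, pair(agent(V), agent(P))), P)
    return scenario1_violation(T0, [NV], db_part=[NV], auth_part=[signature],
                               prover_msgs=[NV, signature])


def p2_scenario1(commitment_secret):
    """Approximate Brands-Chaum P2 as assumed here: Msg 1 p->v commits to n_p, Msg 2 v->p n_v
    (Request), Response [n_v]_{n_p} (the paper's model of n_v xor n_p), then Sig_pk(p)([n_v, n_p]).
    With commitment_secret the commitment travels under sh(p, v) (assumed encoding of the
    original's secret exchange); otherwise n_p is sent in clear and the attacker learns it."""
    commitment = senc(NP, sh(P, V)) if commitment_secret else NP
    response = senc(NV, NP)
    signature = sig(pair(NV, NP), P)
    return scenario1_violation(T0 | {commitment}, [NV], db_part=[response],
                               auth_part=[signature], prover_msgs=[response, signature])
```

For P1 both conditions hold (the attacker echoes n_v itself and later relays the signature), so SDB is violated; for P2 the DB-part constraint [n_v]_{n_p} is satisfiable only when the attacker already knows n_p, which is exactly the difference between the approximate version and the original with a secret commitment discussed in Section 6.1.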

Scenario 2 (farther attacker). Attacker i is physically farther from v than p is. Here, i tries to show itself closer to v by using the responses from p to v in the DB part and then inserting its own messages in the authentication part. P1 is vulnerable in this scenario as well (Fig. 2b).

This scenario is the exact opposite of Scenario 1: we just have to assume that the ideal bundle is now the one between v and i instead of v and p. We should then analyze protocols for potential executions in which p sends all the messages in the DB part and the attacker sends the remaining messages. We prove this below:

Theorem 15. Consider v, p_1, p_2 where d(v, p_1) < d(v, p_2). Let ⟨t_0, ..., t_m⟩ be the nodes on v between which the time of flight is measured. Then there is a violation of SDB if

• the constraints ⟨t_1 : T_1, ..., t_m : T_m⟩ are satisfiable, where for all i = 1 to m every t_i is unified with some t'_i ∈ T_i such that t'_i is a term on p_1;

• all other '−' nodes of v are realizable without unifying with any subterm of p_1.

Proof. Please see Appendix B, Theorem 18.
6 Implementation and Examples

We now present some example protocols and their analyses using our technique. We tested all the protocols in the Constraint Solver tool under the scenarios, and with the results, of Section 5. All the protocols and scenarios are hosted in our on-line demo, where they can be tested with the click of a button. Here we present only the most interesting attacks, and at least one per type of scenario.

It is worth mentioning that we made a simple change to the solver: we restricted it to consider only those node interleavings in which the Request and Response nodes of the verifier strand immediately follow each other. We show in Appendix C that this is required to ensure soundness and that it preserves completeness wrt Def. 13.

In all the protocols below, the distance bound is d = (ToF − δ_2) · s / 2, where the verifier fixes δ_2, the prover's delay between receiving the Request and sending the Response, as a constant for a given protocol. Further, to save space, we simplified some bundles by removing simple and insignificant relays.



6.1 P2 - Brands and Chaum [2]

The original Brands-Chaum protocol is a bit tricky, with commit, rapid bit-level exchange and authentication/sign phases, and an XOR operator that is not modeled by the solver. Hence, we analyzed an approximate version (Fig. 3a).
Figure 3: (a) Brands-Chaum protocol P2 (b) Actual solver trace of the MITM Attack on P2 (NOTE: nv+np = [n_v]_{n_p}; [nv, np]/pk(p) = Sig_pk(P)([n_v, n_p]); Request and Response nodes were coded as req(nv) and resp(nv+np))



Notice that there is a pre-commitment to the nonce N_P by P. Brands and Chaum specify that messages 3 and 4 should be bit-by-bit exchanges, with the round-trip time calculated as the average over all the bit exchanges. Since the exchange is rapid and no other messages can interfere during it, we felt it safe to model the protocol with just one of those message exchanges. Also, N_V ⊕ N_P was modeled as [N_V]_{N_P}.
Honest prover, closer attacker. Following our results in Section 5, we removed the nodes of the DB part in the prover strand and found a MITM attack on P2 similar to the MITM attack on P1 shown in the Introduction: the attacker simply sends all the messages except the signature to the verifier, later sends all of them to the prover, and finally relays the signature from the prover to the verifier. The solver found three different attack traces with three different node interleavings, all essentially the same attack (Fig. 3b).

The original Brands-Chaum protocol actually requires that the commitment N_P be secretly exchanged between V and P. With this requirement, the protocol is a nice example of the condition of Theorem 14 failing to hold: not all constraints corresponding to messages between Request (Msg 2) and Response (Msg 4) are satisfiable. When we made this change in the solver, it did not report an attack.



Dishonest prover, closer attacker. Obviously, revealing the nonce N_P (the commitment) to the attacker beforehand allowed the attack (partial collusion), and of course full collusion worked too. In any case, Brands-Chaum seems stronger against collusion than P1, since it requires sharing N_P for the attack to succeed.



Farther attacker. This protocol also forms a nice example to test under Scenario 2. Assuming that the attacker is farther away from the verifier, we followed our guidelines in Section 5 and removed the nodes of the DB part in one strand, while removing the signature (Msg 5) in another strand. The solver then output an attack in which the agent whose DB part was removed looks closer to the verifier than it is (see Appendix D).

6.2 P3 - Meadows et al. [8]

P3 below was recently proposed in [8] (Fig. 4a).

Figure 4: (a) Meadows et al. protocol P3 (b) MITM Attack
Honest prover, closer attacker. P3 is actually quite similar to P2 and hence to Brands-Chaum, but with some crucial changes. Even without any commitment step, it was not vulnerable to the MITM attack that we presented in Section 6.1, even though the nonce N_P is sent in the clear in Msg 3, unlike Brands-Chaum, which does not disclose it. This shows that sending N_P before the Response (Msg 3) was the fatal mistake in P2.

Thus we believe that P3 is stronger than P2, and also than the Brands-Chaum protocol, since it does not require a prior set-up to enable a secure commit.



Dishonest prover, closer attacker. P3 is vulnerable with partial collusion: i responds with Msg 2 and later forwards n_v and n_i to p, so that p can send the signature in Msg 5 to v with n_v, n_i and the other elements. However, p does not need to share any secrets with i to enable this attack. Hence, this protocol seems weaker than Brands-Chaum in this respect.



Farther attacker. P3 is also vulnerable to the "nearest-neighbor" attack that P2 was, if we assume the verifier does not know who it is talking to before receiving the signature in the final message. However, it would be unreasonable to make this assumption, since the prover identity is explicitly included in the prior messages. Hence, we instantiated the prover variable P to a ground atomic value in the verifier strand when we tested this protocol, after which we could not reproduce the "nearest-neighbor" attack.



Tweaking P3. Since the protocol resisted all scenarios except collusion, we tweaked the protocol to appreciate the significance of individual elements and their placement in messages. We could not find the use or purpose of the field POS_P described anywhere in [8], but removing it did not reveal any new attack. It is interesting to ask whether the nonce N_P inside Msg 4.2 is necessary. Removing it revealed an attack (Fig. 4b).

6.3 P4 - Guttman et al. [4]

P4 differs from all the others in having more than one encrypted message in the authentication part, seemingly extending the NSPK/NSL protocols (Fig. 5a).

We analyzed this protocol with one strand per role in Scenarios A and 1, i.e. we considered an honest verifier B and an honest prover A with a MITM attacker who is physically between them. Further, as usual, we tied the Request (Msg 4) and Response (Msg 5) together in the node interleaving. Without 'B' in Msg 2, the solver reported a trace with a MITM attack, termed a "Lowe style" attack in [4] (Fig. 5b).

In the trace, the attacker plays MITM between a and b and learns k. Then the Response [n, n_a] is sent from the attacker's location, which is physically closer to the verifier b, violating SDB, and the attacker follows it up with an authentication of the challenge n in the last message ([n, n_a]_k).

The crux of this attack is the attacker's ability to satisfy both conditions of Theorem 14. Satisfying the DB part is trivial, but satisfying the authentication part is possible only by breaking the secrecy of k, since it is required to construct the last message, [n, n_a]_k.
Figure 5: (a) Guttman et al. protocol P4 (b) Screen-shot of the attack trace from the solver on the new Guttman et al. protocol. Note: v_1, v_2 are variables; [t]*k = [t]_k^→, [t]+k = [t]_k^↔. (Figure not reproduced; legible labels: in (a), Msg 3. [K]_pk(B), Msg 4. N, Msg 5. N (the Response), Msg 6. [N, N_A]_K; in (b), the trace terms [na, a]*pk(e), [na, k]*pk(a), k*pk(e), [na, a]*pk(b), [na, k]*pk(a), resp([n, na]).)



With larger semi-bundles/runs, more attacks could be possible by failing authentication even after the inclusion of 'B' in Msg 2; e.g., see the attacks on NSL given in [9].

7 Conclusion 

In this paper, we described a method to automatically analyze distance bounding protocols. 
We formalized the main property of secure distance bounding and explained how violations 
of it can be tested using the constraint solver. We also illustrated our technique by presenting 
analyses of some published protocols. 

A natural extension of our work is unbounded analysis, since the constraint solver considers only a bounded number of protocol processes. Unbounded verification tools such as ProVerif could be extended by tying the Request and Rapid Response together in the node interleavings, as explained in Section 6, to produce attacks or to prove their absence. In the case of ProVerif, this is as simple as adding four events to the protocol, two each for the verifier and the prover, corresponding to sending and receiving the Request and Rapid Response respectively. No other change to the tool is required.

Other areas for future work include extending our framework with multiple penetra- 
tors in the 3D space, analyzing other properties in this model such as denial of service, ob- 
taining decidability results for distance bounding, and testing protocols with a more power- 
ful solver that considers message operators with algebraic properties such as Exclusive-OR. 

Recent related work. While the work in this paper was in progress, a related approach to verifying DB protocols using Isabelle/HOL was also in progress and is about to appear in [12]. Being a verification effort, that approach differs from ours in the classical way that model checkers differ from theorem provers: the former tests for attacks while the latter proves their absence. However, our approach can also be extended easily to unbounded verification with ProVerif, as explained above. ProVerif usually verifies protocols in a fraction of a second, faster than most theorem provers. But to be fair to the authors of [12], they consider other protocols used in wireless networks, not merely distance bounding as we did. In that sense, their work can be considered more elaborate than ours.
A Constraint solving [11] 

A.1 Reduction Procedure P 

    C := initial constraint sequence 
    σ := ∅ 
    repeat 
        let c* = m : T be the constraint in C s.t. m is not a variable 
        if c* not found 
            output Satisfiable! 
        apply rule (elim) to c* until no longer applicable 
        ∀ r ∈ R 
            if r is applicable to C 
                (C'; σ') := r(C; σ) 
                create node with C'; add C → C' edge 
                push (C'; σ') 
        (C; σ) := pop 
    until emptystack 

Reduction Procedure P [11] 



A.2 Set of reduction rules, R 

In the rules below, $C_<$ and $C_>$ are the constraints before and after the one being 
reduced, $\sigma$ is the substitution accumulated so far, $\varepsilon$ denotes the penetrator, 
and $T \cup t$ abbreviates $T \cup \{t\}$. The rules (penc), (pdec) and (ksub) concern 
public-key encryption under keys of the form $pk(\cdot)$; (senc) and (sdec) concern 
symmetric-key encryption. 

(un)    $C_<,\ m : T,\ C_>;\ \sigma \;\Longrightarrow\; \tau C_<,\ \tau C_>;\ \tau \cup \sigma$, where $\tau = \mathrm{mgu}(m, t)$, $t \in T$ 

(pair)  $C_<,\ [m_1, m_2] : T,\ C_>;\ \sigma \;\Longrightarrow\; C_<,\ m_1 : T,\ m_2 : T,\ C_>;\ \sigma$ 

(hash)  $C_<,\ h(m) : T,\ C_>;\ \sigma \;\Longrightarrow\; C_<,\ m : T,\ C_>;\ \sigma$ 

(penc)  $C_<,\ [m]_k : T,\ C_>;\ \sigma \;\Longrightarrow\; C_<,\ k : T,\ m : T,\ C_>;\ \sigma$ 

(senc)  $C_<,\ [m]_k : T,\ C_>;\ \sigma \;\Longrightarrow\; C_<,\ k : T,\ m : T,\ C_>;\ \sigma$ 

(sig)   $C_<,\ sig_{pk(\varepsilon)}(m) : T,\ C_>;\ \sigma \;\Longrightarrow\; C_<,\ m : T,\ C_>;\ \sigma$ 

(split) $C_<,\ m : [t_1, t_2] \cup T,\ C_>;\ \sigma \;\Longrightarrow\; C_<,\ m : t_1 \cup t_2 \cup T,\ C_>;\ \sigma$ 

(pdec)  $C_<,\ m : [t]_{pk(\varepsilon)} \cup T,\ C_>;\ \sigma \;\Longrightarrow\; C_<,\ m : t \cup T,\ C_>;\ \sigma$ 

(ksub)  $C_<,\ m : [t]_k \cup T,\ C_>;\ \sigma \;\Longrightarrow\; \tau C_<,\ \tau m : \tau [t]_k \cup \tau T,\ \tau C_>;\ \tau \cup \sigma$, where $\tau = \mathrm{mgu}(k, pk(\varepsilon))$, $k \neq pk(\varepsilon)$ 

(sdec)  $C_<,\ m : [t]_k \cup T,\ C_>;\ \sigma \;\Longrightarrow\; C_<,\ k : T,\ m : T \cup t \cup k,\ C_>;\ \sigma$ 
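Procedure P and the rules of R, as an added example that is not the paper's solver (the paper uses the Millen-Shmatikov tool): a miniature solver in Python over constraints m : T, implementing (elim), (un), (pair), (hash), (senc), (split) and (sdec) with a small unifier, and omitting the public-key rules (penc), (pdec), (ksub) and (sig). It returns the substitution together with the sequence of rules applied, which is the information that PB later adds up as the weight of the attacker's ⇒ edge. The term encoding, the initial knowledge T0 and the two constraint sequences are constructed for this example; the variable X stands for a message field the receiver does not check.

```python
"""Miniature constraint solver in the style of procedure P and rule set R.
Added example, not the paper's tool.  Rules covered: (elim), (un), (pair),
(hash), (senc), (split), (sdec).  Public-key rules are omitted for brevity."""

# Term encoding (an assumption of this example):
#   atom      -> lowercase str, e.g. 'a', 'na', 'kab'
#   variable  -> Uppercase str, e.g. 'X' (a field the receiver does not check)
#   compound  -> ('pair', m1, m2) | ('senc', m, k) | ('hash', m)

def is_var(t):
    return isinstance(t, str) and t[:1].isupper()

def apply(t, s):
    """Apply substitution s (dict var -> term) to term t, following chains."""
    if is_var(t):
        return apply(s[t], s) if t in s else t
    if isinstance(t, tuple):
        return (t[0],) + tuple(apply(x, s) for x in t[1:])
    return t

def occurs(v, t, s):
    t = apply(t, s)
    return t == v or (isinstance(t, tuple) and any(occurs(v, x, s) for x in t[1:]))

def mgu(x, y, s):
    """Most general unifier of x and y extending s, or None if none exists."""
    x, y = apply(x, s), apply(y, s)
    if x == y:
        return s
    if is_var(x):
        return None if occurs(x, y, s) else {**s, x: y}
    if is_var(y):
        return mgu(y, x, s)
    if isinstance(x, tuple) and isinstance(y, tuple) and x[0] == y[0] and len(x) == len(y):
        for a, b in zip(x[1:], y[1:]):
            s = mgu(a, b, s)
            if s is None:
                return None
        return s
    return None

def solve(seq, s=None, trace=()):
    """Procedure P.  seq is a list of constraints (m, T): the penetrator must
    build m from the term set T.  Returns (substitution, rules applied) when
    the sequence is satisfiable, else None.  Depth-first, first solution wins."""
    s = {} if s is None else s
    seq = [(apply(m, s), [apply(t, s) for t in T]) for m, T in seq]
    idx = next((i for i, (m, _) in enumerate(seq) if not is_var(m)), None)
    if idx is None:                        # only variable constraints remain
        return s, list(trace)              # "Satisfiable!"
    m, T = seq[idx]
    T = [t for t in T if not is_var(t)]    # (elim): drop variables from T
    pre, post = seq[:idx], seq[idx + 1:]

    def step(rule, new_constraints, s2=None):
        return solve(pre + new_constraints + post,
                     s if s2 is None else s2, trace + (rule,))

    for t in T:                            # (un): m unifies with a known term
        s2 = mgu(m, t, s)
        if s2 is not None and (r := step('un', [], s2)):
            return r
    if isinstance(m, tuple):               # construction rules on m
        if m[0] == 'pair' and (r := step('pair', [(m[1], T), (m[2], T)])):
            return r
        if m[0] == 'hash' and (r := step('hash', [(m[1], T)])):
            return r
        if m[0] == 'senc' and (r := step('senc', [(m[2], T), (m[1], T)])):
            return r
    for i, t in enumerate(T):              # analysis rules on a term of T
        rest = T[:i] + T[i + 1:]
        if not isinstance(t, tuple):
            continue
        if t[0] == 'pair' and (r := step('split', [(m, rest + [t[1], t[2]])])):
            return r
        # (sdec): k : T, m : T ∪ t ∪ k  (T without the ciphertext itself)
        if t[0] == 'senc' and (r := step('sdec', [(t[2], rest), (m, rest + [t[1], t[2]])])):
            return r
    return None

# Constructed sample data.  T0: names plus the attacker's own key ke.
T0 = ['a', 'b', 'e', 'ke']
LEAK = ('senc', 'na', 'ke')                # na once sent to e under e's key
# Receiver accepts any nonce under kab (X unchecked), then expects h([na, e]).
SATISFIABLE = [
    (('senc', 'X', 'kab'), T0 + [('senc', 'na', 'kab')]),
    (('hash', ('pair', 'X', 'e')), T0 + [('senc', 'na', 'kab'), LEAK]),
]
UNSATISFIABLE = [
    (('senc', 'X', 'kab'), T0 + [('senc', 'na', 'kab')]),
    (('hash', ('pair', 'X', 'e')), T0 + [('senc', 'na', 'kab')]),  # na stays under kab
]

if __name__ == '__main__':
    print(solve(SATISFIABLE))    # ({'X': 'na'}, ['un', 'hash', 'pair', 'sdec', 'un', 'un', 'un'])
    print(solve(UNSATISFIABLE))  # None
```

The first sequence is satisfiable with X := na: the solver relays the observed ciphertext to satisfy the first constraint, then recovers na by (sdec) under the attacker's own key ke and rebuilds h([na, e]) by (pair) and (hash). The second sequence is unsatisfiable because the only copy of na is under kab, which the attacker cannot derive. The search returns the first solution it finds; procedure P as written pushes every applicable rule and therefore enumerates all reductions, which is what PB needs when it wants every attack bundle rather than one.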

A.3 Algorithm PB 

We describe a simple extension to P that generates bundles from satisfiable constraint se- 
quences, which in turn were generated from the strands in a semi-bundle. In addition, it draws 
a single penetrator strand, with as many nodes as the sum of the nodes in the semi-bundle, 
that captures all the reduction rules applied to generate the terms on − nodes, i.e. to solve 
the constraints. We name this new algorithm PB. 

In PB, we will assume a look-up table such as the one below to find out the weight correspond- 
ing to each attacker action. 

    Action        Parameters    Time taken 
    pair          m1, m2        m1.len + m2.len 
    split         [m1, m2]      [m1, m2].len 
    senc, sdec    {m, k}        m.len × k.len 
    penc, pdec    {m, k}        1000 × m.len × k.len 
    hash          m             m.len × 10 
    sig           {m, k}        1000 × m.len × k.len 

Note: m.len denotes the number of bytes in m. 

As is obvious from the above table, we adopt the well-known rule of thumb that asymmetric-key 
encryption/decryption is about a thousand times slower than its symmetric counterpart. 
Note that the rules (un) and (ksub) do not correspond to any penetrator action but only generate 
the substitution required to complete the semi-bundle to a bundle. 

The time of traversal for a message depends on the message length, distance and the 
velocity of the signal. We assume that there is an appropriate formula for an environment 
to calculate that time, using those parameters. 

Algorithm ProduceBundle 

Input: Semi-bundle S, Constraint solving procedure P 
Output: Bundle. 

    1   Draw all the strands in S (with ⇒ edges) 
    2   Label nodes on each strand with (time, sign, term) 
    3   for each node merge N from S 
    4       Generate a constraint sequence C and solve C with P 
    5       if C not satisfiable, continue; 
    6       for each successive node m in N 
    7           draw a penetrator node n connecting it to the 
    8               previous node on the same strand using a ⇒ 
    9           if sign(m) = '+' then 
    10              draw an edge → between m, n; 
    11              update time on n as time(m) + weight(m, n); 
    12          if sign(m) = '−' then 
    13              mark the weight of the ⇒ edge as the sum of weights 
    14                  of all the rules applied to satisfy the constraint; 
    15              draw an edge → between n, m; 
    16              update time on m as time(n) + weight(n, m); 



A.4 Algorithm PB - An example 



Consider the Needham-Schroeder Public-Key (NSPK) protocol [10], with nodes 11, 12, 13 on A's 
strand and 21, 22, 23 on B's strand: 

    11 → 21 : [N_A, A]_{pk(B)} 
    22 → 12 : [N_A, N_B]_{pk(A)} 
    13 → 23 : [N_B]_{pk(B)} 

Following our procedure PB, we first draw the semi-strands a for A and b for B. We 
then consider the node merge (11, 21, 22, 12, 13, 23) and from it the constraint sequence 
(21 : 11, 12 : {11, 22}, 23 : {11, 22, 13}). This sequence will reveal Lowe's attack on NSPK. 

Following our algorithm, 

1. we first add a penetrator node e1 and to it a → edge from 11, 

2. send [n_a, a]_{pk(e)} along it, with its weight computed from the distance between a and 
the penetrator e, the length of the message [n_a, a]_{pk(e)} and the velocity of the signal, 

3. update the time on e1 with that weight, counting the time on node 11 as zero, 

4. add a ⇒ edge from e1 to a second penetrator node e2, its weight δ_1 being the sum of the 
weights of all the rules applied to solve the first constraint and generate the term on node 21; 
i.e. δ_1 = time taken to apply pdec, split, pair and penc, after appropriately parameterizing 
with message and key lengths, 

5. update the time on e2 as the sum of the weights of the edges 11 → e1 and e1 ⇒ e2, and add 
a → edge from e2 to 21. 



Similarly, we can finish the other nodes following their order in the node merge: 

(Figure: the bundle produced by PB for Lowe's attack on NSPK, with strand a (nodes 11, 12, 13), 
the penetrator strand e (nodes e1 to e6) and strand b (nodes 21, 22, 23); the messages 
[n_a, a]_{pk(e)}, [n_a, n_b]_{pk(a)} and [n_b]_{pk(b)} are carried between the strands through 
the penetrator nodes.) 



B Proofs 



Theorem 16. [Termination, Soundness and Completeness] 

Algorithm PB terminates and is sound and complete. 

Proof. 

Consider the steps in the algorithm PB sequentially: 

1. PB draws finitely many strands, each with finitely many nodes, from a given semi- 
bundle S; 

2. Next, it generates finitely many node merges $\mathcal{N}$ and solves each of them using P, 
which is proven to be terminating, sound and complete [11]; 

3. Finally, it loops over all the finitely many nodes in $\mathcal{N}$. In each iteration it performs only 
atomic actions, namely drawing a node or an edge and updating the times on node labels; 
the only non-atomic action is adding up the weights of the finitely many reduction 
rules applied to solve a constraint. 

Since all of the above are finitely many actions, PB terminates. Further, its soundness 
and completeness follow directly from those properties of P and from the fact that every node 
in the semi-bundle is handled. 



As promised in Section 5.2, below we prove that in Scenario 1, if an attacker can gener- 
ate all the messages expected by the verifier from the Request to the Response without those 
messages being sent by the prover, then SDB is violated if all other messages expected by 
the verifier can also be generated by the attacker, with or without those messages emanating 
from the prover. 

Theorem 17. 

Suppose t_0, t_1, ..., t_m are the terms on nodes of the verifier strand v, with time of flight 
measured between t_0 and t_m. Then there exists a bundle with a violation of SDB if 

• the constraints (t_1 : T_1, ..., t_m : T_m) are satisfiable, where for i = 1 to m every t ∈ T_i 
either belongs to T_0 or is a term on a + node on v, and every t_i is a term on a − node on v; 

• all other − nodes in v are realizable. 

Proof. Let the ideal bundle between v and a prover p be denoted B. Let the distance 
between v and p be d(v, p), let the distance between v and i be d(v, i), and let d(v, i) < 
d(v, p); i.e., any edge from a node on v to a node on i has a smaller weight than the 
edge from v to p when the same number of bits is transmitted on the edges. 

Say the path between t_0 and t_m in B is w. Now consider a real bundle B' where every + 
node on v between t_0 and t_m is connected to a − node on i and vice versa (which is possible 
since every − node on v is satisfiable without terms from p). Since the weights of the ± ⇒ ∓ 
edges are preset in the strands v and p, the weights of those edges will be equal in both i and p. 
Hence the weight of the path between t_0 and t_m in B' will be smaller, since the only 
remaining → edges are lighter, as explained above. 

Hence, by Def. 13, there is a violation of SDB in B'. 

We also prove that we can find attacks in Scenario 2 of Section 5.2 by analyzing pro- 
tocols for potential executions with p sending all the messages in the DB part and the attacker 
sending the remaining messages, as promised in Section 5.2. 

Theorem 18. 

Consider v, p_1, p_2 where d(v, p_1) < d(v, p_2). Let (t_0, ..., t_m) be nodes on v between 
which time of flight is measured. Then there is a violation of SDB if 

• the constraints (t_1 : T_1, ..., t_m : T_m) are satisfiable, where for all i = 1 to m, every t_i is 
unified with some t'_i ∈ T_i, where t'_i is a term on p_1; 

• all other '−' nodes of v are realizable without unifying with any subterms of p_1. 

Proof. Consider the ideal bundle to be between v and p_2, denoted B, and let the time 
of flight in B be w. 

Now consider another bundle B' produced by PB wherein every m → n edge is such 
that m has one of t_0, ..., t_m as a term and n is a node on p_1. 

This is possible since every constraint in (t_1 : T_1, ..., t_m : T_m) is satisfiable by unifying 
with a term in p_1, resulting in the attacker edge having weight 0. In this situation, 
an equivalent bundle can be produced where the attacker action m → e_i → e_j → n (for 
some nodes e_i and e_j on the attacker strand) is replaced with a straight edge m → n. Since 
d(v, p_1) < d(v, p_2), the sum of the weights of those edges in B' will be smaller than in B. Further, 
the weights of the ± ⇒ ∓ edges for p_1 in B' and p_2 in B will be equal, since they are preset and 
constant from the assumptions in the protocol model. 

Thus, by Def. 13, there is an attack on SDB in B'. 

We supplement these results with some general results on collusion. These results will 
show that collusion is in general impossible to prevent. However, while in some cases it 
works without any shared secrets between the prover and attacker, in some other cases it 
necessarily requires at least some shared secrets. 

Corollary 19. [Full collusion] 



It can easily be seen from the proofs of Theorems 17 and 18 that if p colludes with i and 
shares all its secrets with i, then the result is a direct violation of SDB, since i can send all the 
messages expected by v without any involvement from p; i.e., all the constraints from v's 
strand are satisfiable without the prover strand p at all and, due to i's closer proximity, the 
weight of the path from the Request to the Response used to calculate the ToF will be smaller. 
Corollary 20. [Partial Collusion] 

This collusion attack can work even under partial collusion; i.e., if p initially shares 
with i only those subterms that are needed to satisfy all the constraints between Request and 
Response, then from the proofs it can easily be seen that this is sufficient for an attack on SDB 
by simply relaying all the other messages from p to v that are not used to calculate the ToF. 

Corollary 21. [Preventing collusion] 

A simple way to prevent collusion is by measuring time of flight between encrypted 
messages, some of which must be decrypted with a private key known only to the legitimate 
but dishonest and colluding prover. In such a situation, violation of SDB is possible only 
when the prover shares its private keys or secrets with the attacker so that all the constraints 
in the DB part are satisfiable without the nodes from the prover strand. 

There might be situations where provers collude with others, but do not want to share 
all their information, especially long-term keys or private keys. In those cases, collusion at- 
tacks can be prevented by measuring ToF between encrypted messages as explained above. 

Corollary 22. [Collusion possible in both scenarios] 

These observations hold whether i is closer to v than p or not. In the case of 
i being further from v than p, under collusion, p attempts to deliberately make i appear 
closer. 



C Soundness and Completeness of implementation 



We will now prove soundness and completeness of our implementation wrt Def. 13. We 
make two assumptions about DB protocols for these results: 

Assumption 1 Request and Rapid Response are the only two consecutive nodes between which ToF 
is measured. 

Assumption 2 The elapsed time between the prover receiving the Request and sending the Rapid Response 
is lower than the weight of the ⇒ edges in the verifier or the prover strands. 

DB protocols for networks with stringent time and resource constraints, such as sensor 
networks, must satisfy both these assumptions. 

C.l Soundness 



The implementation can be considered sound wrt Def. 13 if all the real bundles produced 
by the tool necessarily violate SDB. In other words, every bundle that is produced should 
have a ToF smaller than that of the ideal bundle. 

We made a minor change to the original constraint solver by Millen and Shmatikov to 
achieve soundness: we restricted it to consider only those node interleavings in which the 
Request and Rapid Response nodes in the verifier strand immediately follow each other. 
We then tested protocols by following the results of Theorems 14 and 18 in Section 5. 

To see why we restricted the interleavings, consider the following two bundles out- 
put by the solver for the extended Echo protocol P1 introduced in Section 1 (below, m = 
[n_v, v, p]): 

These bundles were produced in an honest-prover scenario with the attacker closer to the 
verifier. The conditions of Theorem 17 are satisfied in both bundles; i.e., the mes- 
sages in the DB part are satisfiable without the send node in the prover strand that sends the 
Rapid Response, and the signature is realizable as well. Yet only the bundle on the left ob- 
viously has a violation of SDB, since its ToF (δ_1) is smaller than in the ideal case. On 
the other hand, the one on the right has its δ_1 larger than in the ideal case. 

The reason is that the bundle on the right was found on an interleaving where Request 
and Rapid Response do not immediately follow each other. In this case, the output of algorithm 
PB contains a path (Request, Rapid Response) that is heavier than the path between the same 
nodes in the ideal bundle, since it has to draw the edges corresponding to the other realizable 
nodes before it draws the edges for the Rapid Response node. 

Theorem 17 merely states that an attack bundle exists but does not point to it precisely. 
Restricting interleavings in this fashion restricts the solver so that every bundle it produces 
is necessarily an attack bundle, thereby achieving soundness. 
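The path accounting that PB performs between the Request and the Rapid Response, as an added example that is not the paper's tool. It covers the two cases just discussed (the tied interleaving of the left bundle and the untied one of the right bundle) and the Scenario 2 situation of Theorem 18. The attacker action weights come from the look-up table of A.3; the formula for a → edge, distance × length with the signal velocity normalised to 1, is an assumption of this example (the paper only assumes that some environment formula exists), as are the prover's constant ⇒ weight of 1 (small, per Assumption 2), the message lengths and the distances. All weights are in one abstract time unit.

```python
"""Time-of-flight accounting along the (Request, Rapid Response) path of a
bundle, as PB computes it, and the SDB comparison used in Theorems 17/18.
Added example, not the paper's tool.  All weights share one abstract unit."""

VELOCITY = 1.0      # assumption: signal velocity normalised to 1 unit
PROVER_STEP = 1.0   # assumption: the honest prover's => weight (Assumption 2)

# Attacker action weights from the look-up table in A.3 (lengths in bytes).
COST = {
    'pair':  lambda m1, m2: m1 + m2,
    'split': lambda m: m,                 # m = length of the pair being split
    'senc':  lambda m, k: m * k,
    'sdec':  lambda m, k: m * k,
    'penc':  lambda m, k: 1000 * m * k,
    'pdec':  lambda m, k: 1000 * m * k,
    'hash':  lambda m: 10 * m,
    'sig':   lambda m, k: 1000 * m * k,
}

def link_weight(distance, nbytes):
    """Weight of a -> edge carrying nbytes over distance (assumed formula)."""
    return distance * nbytes / VELOCITY

def action_weight(actions):
    """Weight of the attacker's => edge: the sum of the weights of the rules
    applied between receiving and sending (steps 13-14 of ProduceBundle).
    actions is a list of (rule name, parameter lengths)."""
    return sum(COST[name](*lengths) for name, lengths in actions)

def tof(d_responder, req_len, resp_len, step_weight):
    """Weight of the path  v -(Request)-> responder => responder -(Rapid Response)-> v."""
    return (link_weight(d_responder, req_len) + step_weight
            + link_weight(d_responder, resp_len))

def violates_sdb(real_tof, ideal_tof):
    """Def. 13 as used in the proofs: a real bundle whose ToF path is lighter
    than the ideal bundle's violates SDB."""
    return real_tof < ideal_tof

def check(d_vp, d_responder, responder_step, req_len=16, resp_len=16):
    """Ideal bundle: v <-> p at distance d_vp, honest prover step.
    Real bundle: whoever sits at d_responder answers the Request after a =>
    edge of weight responder_step.  Returns (ideal, real, violation?)."""
    ideal = tof(d_vp, req_len, resp_len, PROVER_STEP)
    real = tof(d_responder, req_len, resp_len, responder_step)
    return ideal, real, violates_sdb(real, ideal)

# Constructed cases.  p at 100, attacker i at 30; m = [n_v, v, p] is 16 bytes.
# Left bundle of C.1: i echoes m back at once (no attacker action).
TIED = check(100, 30, action_weight([]))
# Right bundle of C.1: i first signs m with a 32-byte key, then answers.
UNTIED = check(100, 30, action_weight([('sig', (16, 32))]))
# Scenario 2 (Theorem 18): a nearer honest p1 at 60 answers in place of p2 at 100.
NEARER_PROVER = check(100, 60, PROVER_STEP)

if __name__ == '__main__':
    for name, (ideal, real, bad) in [('tied', TIED), ('untied', UNTIED),
                                     ('nearer prover', NEARER_PROVER)]:
        print(f'{name}: ideal={ideal} real={real} violation={bad}')
```

With these numbers the tied interleaving gives a path of 960 against an ideal 3201, a violation; the untied one adds the 512000-unit signature to the attacker's ⇒ edge and ends up far heavier than the ideal path, so it is not an attack even though the same constraints are satisfiable, which is exactly why the solver only keeps interleavings with the two nodes tied together. The nearer-prover case shows Scenario 2: the attacker adds no weight at all, and the violation comes purely from d(v, p_1) < d(v, p_2).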



C.2 Completeness 

By restricting interleavings, do we lose any attacks? We can easily prove that we do not. 
Firstly, let us note that every bundle produced by the solver after restricting interleav- 
ings is similar to the bundle on the left given in Section C.1, i.e., bundles where the attacker 
receives the Request and immediately sends the Rapid Response back to the verifier, 
without sending or receiving any other messages in between. To prove completeness, we 
will show that these are the only bundles in which there is a violation of SDB. 

To achieve a contradiction, consider the bundle below, which is not produced by the 
solver when we restrict interleavings (the attacker does not send the Rapid Response im- 
mediately after receiving the Request): 
(Figure: bundle B, with the verifier strand v, the attacker strand and the prover strand p, 
nodes numbered 1 to 8 as referenced below; the attacker does not send the Rapid Response 
immediately after receiving the Request.) 

Call this bundle B. Say there is a violation of SDB in B when the ideal bundle is 
between v and p. That means the weight of the path (2, 7) is lower than the weight 
of the edge (2, 3) in the ideal bundle B' below between v and p (note that the weight of the 
edges in the path (1, 8) in B is equal to the weight of the → edges between (1, 4) 
in B'). 



(Figure: the ideal bundle B' between v and p.) 




Now the weight of (2, 3) + (3, 6) + (6, 7) in B is obviously more than the weight 
of the edge (4, 5) in B. From above, since there is an attack in B, the weight of 
(2, 3) + (3, 6) + (6, 7) must be smaller than (2, 3) in B'. However, the weight of (4, 5) 
in B itself is greater than or equal to the weight of (2, 3) in B' by Assumption 2, a 
contradiction. 

If B depicts a violation of SDB in the farther-attacker scenario (i.e., p' is a prover 
strand), then by Assumption 2 the weight of (2, 3) + (3, 6) + (6, 7) in B will be heavier 
than (2, 3) in B', again a contradiction. 

Finally, if there is a bundle with ToF lighter than (1, 4) in B' that is not produced 
by the solver, then it must come from a node interleaving with at most one send or 
receive node per strand between Request and Rapid Response. For instance, bundle 
B'' below: 



(Figure: bundle B'' between v and p', with a single extra node 3 between the Request and the Rapid Response.) 




However, an attack on bundles such as these also implies an attack on a bundle where 
node 3 occurs before node 2 or after node 4, and such bundles are indeed produced by the solver. 

Thus, by restricting interleavings to just those with (Request, Response) tied together, we 
do not lose any attack. 
D More attacks 

D.l P2 - Brands & Chaum 

Farther attacker. This protocol is a nice example to test under Scenario 2. Assuming the 
attacker is further away from the verifier, we followed our results in Section 5 and removed 
the nodes in the DB part in one strand while removing the signature (Msg 5) in another 
strand. The solver then output the following attack, simplified by removing some relays: 



(Figure: the farther-attacker bundle for P2, with strands v, i and p: p answers v's request in the 
DB part; p's authenticated message sig_{pk(p)}[n_v, n_p] (Msg 5) is blocked by i, which sends 
sig_{pk(i)}[n_v, n_p] to v instead.) 
Here i is further away from v than p, possibly outside the range within which v wishes 
to include nodes. i lets p respond to v's request, obstructs p's authenticated 
response (Msg 5) and substitutes its own message, signed with its own private key. 

Obviously, this attack cannot work with the prover identity inside the signature; it works 
only when the verifier uses the protocol to find its nearest neighbor and therefore accepts 
a signature from any node. 



